Reseller Data Processing Agreement

Last updated: December 18, 2024

This reseller data processing agreement (“DPA”) is an agreement between you and the entity you  represent or have the authority to bind that entity to this DPA (the “Reseller” or “you”), and  Chargebackhelp, LLC, a California limited liability company (“CBH”). This DPA forms part of any written or  electronic agreement between you and CBH (each, an “Agreement”) under which CBH Processes Personal  Information for the Reseller’s third-party customers for the Services (each, a “Participating Seller”),  except regarding any Agreement under which you and CBH have entered into data processing terms that  address the subject matter of this DPA. Capitalized terms used but not defined in this DPA will have the  meanings given to them in the Agreement.

1. Processing of Participating Sellers Personal Information.

1.1 Processor Designation. The parties acknowledge that CBH will Process the Personal  Information of the Reseller’s Participating Sellers to provide the Services, which  Processing may include, for example, the Processing detailed on the Details of Processing  Participating Seller Personal Information set out in exhibit 2. For the purposes of the Data  Protection Laws and the provisions of this DPA, the Reseller’s Participating Sellers will be  considered as controllers (or equivalent term under Data Protection Laws), the Reseller  will be considered a data processor, and CBH (as the “Sub-Processor” in this DPA) will be  considered a sub-processor engaged by the Reseller to carry out specific processing  activities for the Reseller’s Participating Sellers.

1.2 Authorization to Process. The Sub-Processor shall Process the Participating Seller  Personal Information to provide the Services, and the Sub-Processor may Process the  Participating Seller Personal Information solely in connection with the following activities:

(a) in accordance with the applicable Agreement, including, without limitation, any  exhibits, schedules, and applicable price schedule, to provide the Services, and  any Processing required under law or regulations;

(b) based on the Reseller’s instructions and in its use of the Services, the Sub-Processor transfers the Participating Seller Personal Information to Verifi, Ethoca, the Participating Sellers’ Data Subjects, acquiring banks, issuing banks, payment processors servicing acquiring banks, credit and debit card companies, or other service providers engaged in performing the Services for the Reseller’s customers; and

(c) as reasonably necessary to enable the Sub-Processor to comply with any other  directions or instructions provided by the Reseller for the Reseller’s Participating  Sellers.

2. Compliance with Law. The Reseller shall, in its use of the Services, Process the Participating Seller Personal Information in accordance with the requirements of Data Protection Laws. The Sub-Processor shall, in its provision of the Services, Process the Participating Seller Personal Information in accordance with the requirements of Data Protection Laws.

3. Reseller Obligations.

3.1 Regarding the Processing of the Participating Seller Personal Information by the Sub-Processor under this DPA and the Agreement, the Reseller shall cause its Participating Sellers to:

(a) provide their Data Subjects with all privacy notices, information, and any  necessary choices under Data Protection Laws regarding the use of Participating  Seller Personal Information in connection with the Services as set out in the  Agreement and this DPA, including providing information to Data Subjects for fair,  lawful, and transparent Processing of the Participating Seller Personal  Information when required and obtain any necessary consents to allow the  parties to comply with Data Protection Law;

(b) promptly inform the Sub-Processor when the Participating Seller Personal  Information must be corrected, updated, or deleted, where required by Data  Protection Law; and

(c) ensure that at the point of transferring the Participating Seller Personal  Information to the Sub-Processor, the Participating Seller Personal Information is  adequate, relevant, and limited to what is necessary for the Processing  contemplated under the Agreement and this DPA.

3.2 The Reseller shall comply (and shall cause its third-party auditors to comply) with the Sub-Processor’s relevant security policies and appropriate confidentiality obligations as set out in the Agreement.

4. Sub-Processor Obligations.

4.1 Data Protection Law. If necessary to enable the Reseller’s Participating Sellers to comply  with their obligations under Data Protection Laws, the Sub-Processor shall comply with  the applicable provisions of schedules A and B, each to the extent relevant and required.

4.2 Data Subject Rights. The Sub-Processor shall, to the extent legally permitted, provide  reasonable assistance to the Reseller to respond to requests from Data Subjects to  exercise their rights under Data Protection Law regarding the Participating Seller Personal  Information (e.g., rights to access or delete Participating Seller Personal Information) in a  manner that is consistent with the nature and functionality of the Services. The Reseller  shall submit those requests for assistance to the Sub-Processor. If the Sub-Processor  receives any such request, it shall promptly notify the Reseller, and the Reseller shall  cause its Participating Sellers to handle those requests by a Data Subject in accordance with Data Protection Law.

4.3 Engaging with Sub-Processors. The Sub-Processor shall ensure that when engaging with another data processor including any Affiliates (a “Sub-Sub-Processor”) for the purposes of carrying out specific Processing activities related to the Reseller’s Participating Sellers, there is a written contract in place between the Sub-Processor and the relevant Sub-Sub-Processor. Those written contracts, to the extent applicable to the nature of the Services provided by the relevant Sub-Sub-Processor, must provide at least the same level of protection for the Participating Seller Personal Information as set out in this DPA.

4.4 Staff. The Sub-Processor shall ensure that persons authorized to Process the Participating  Seller Personal Information have committed themselves to confidentiality or are under  an appropriate statutory obligation of confidentiality.

4.5 Security of Processing. Taking into account the state of the art, the implementation costs, and the nature, scope, context, and purposes of the Processing, and the risk of varying  likelihood and severity for the rights and freedoms of natural persons, the Sub-Processor  shall implement technical and organizational measures to ensure a level of security  appropriate to that risk. In assessing the appropriate level of security, the Sub-Processor  shall, in particular, take into account the sensitivity of the Personal Information and the  risks that are presented by the Processing, in particular from unauthorized or unlawful  Processing, accidental or unlawful destruction, loss, alteration, unauthorized disclosure  of, or access to the Participating Seller Personal Information transmitted, stored, or  otherwise Processed. The Sub-Processor shall provide reasonable assistance to the  Reseller to ensure the Reseller meets its own compliance obligations for these same  security measures.

4.6 Security Breach.

(a) In the event of an actual Security Breach affecting the Participating Seller Personal  Information contained in the Sub-Processor’s systems, the Sub-Processor shall  (1) investigate the circumstances, extent, and causes of the Security Breach and  report the results to the Reseller and continue to keep the Reseller regularly  informed on the progress of the Sub-Processor’s investigation until the issue has  been effectively resolved, and (2) cooperate with the Reseller in any legally  required notification by the Reseller’s Participating Sellers of affected Data  Subjects.

(b) The Sub-Processor shall promptly notify the Reseller upon the Sub-Processor or  any Sub-Sub-Processor becoming aware of an actual Security Breach affecting the  Participating Seller Personal Information, providing the Reseller with sufficient  information and reasonable assistance to allow the Reseller’s customers to meet  its obligations under Data Protection Law to (1) notify a Supervisory Authority (as  defined under Data Protection Law) of the Security Breach, and (2) communicate  the Security Breach to the relevant Data Subjects.

(c) Except as required by law or regulation, the notifying party shall not make (or  allow any third party to make) any statement concerning the Security Breach that  directly or indirectly references the other party, unless the other party provides  its written authorization.

(d) To the extent that a Security Breach was caused by the Reseller, the Reseller’s  Participating Sellers, or Data Subjects, the Reseller will be responsible for the  costs arising from the Sub-Processor’s provision of assistance under this section 4.6.

4.7 Deletion and Retention. The Sub-Processor shall delete all Participating Seller Personal  Information on termination of the Sub-Processor retention period unless storage is  required by law.

5. Miscellaneous. The terms of this DPA will apply only to the extent required by Data Protection  Law. To the extent not inconsistent with this DPA, the applicable provisions of the Agreement  (including without limitation, indemnifications, limitations of liability, enforcement, and  interpretation) will apply to this DPA. In the event of any conflict between this DPA and the terms  of an applicable Agreement, the terms of this DPA will prevail solely regarding data processing  terms where required by Data Protection Law, and, in all other respects, the terms of the  applicable Agreement will prevail. This DPA does not apply to any data or information that does  not relate to one or more identifiable individuals, which has been aggregated or de-identified in  accordance with Data Protection Law, or to the extent that the Sub-Processor and the Reseller  have entered separate data processing terms that address the subject matter of this DPA.

6. Definitions. Unless otherwise defined in the Agreement (including this DPA), all terms in this DPA  will have the definitions given to them in Data Protection Law.

“Data Protection Law” means any law or regulation pertaining to data protection, privacy, or the Processing of Personal Information, to the extent applicable for a party’s obligations under the Agreement and this DPA. This includes, but is not limited to, the General Data Protection Regulation (Regulation (EU) 2016/679 (the “GDPR”)), UK Data Protection Laws, the California Consumer Privacy Act of 2018, as amended by the California Privacy Rights Act of 2020, and their implementing regulations (the “CCPA”), Swiss DP Laws, and any associated regulations or any other legislation or regulations that transpose or supersede the above.

“Data Subject” means any consumer that buys goods or services of the Reseller’s Participating Sellers, and whose information is submitted by the Reseller’s Participating Sellers to CBH during the Reseller’s Participating Sellers’ use of the Services under the Agreement.

“EEA Standard Contractual Clauses” means the Standard Contractual Clauses set out in the European Implementing Decision (EU) 2021/914 on standard contractual clauses for the transfer of personal data to third countries under Regulation (EU) 2016/679, as amended or replaced on one or more occasions by a competent authority under the Data Protection Law, including the Swiss amendments to the EU Standard Contractual Clauses required by the Swiss Federal Data Protection Information Commissioner (the “Swiss Addendum”) to the extent applicable.

“Participating Seller Personal Information” means Personal Information originating from the Reseller’s Participating Sellers or their Data Subjects and provided to or accessed by CBH under the Agreement.

“Personal Information” means all data or information, in any form or format, that identifies, relates to, describes, is capable of being associated with, or could reasonably be linked, directly or indirectly, with a particular Data Subject or household or that is regulated as “personal data,” “personal information,” or otherwise under Data Protection Law. This includes any information relating to a Data Subject as defined in the Agreement and data relating to legal entities to the extent they are protected under Swiss DP Laws. This also includes any information relating to an end user.

“Process” or “Processed” or “Processing” means any operation or set of operations that is performed on Personal Information, whether or not by automatic means, such as access, collection, recording, organization, storage, adaptation or alteration, retrieval, disclosure or otherwise making available, duplication, transmission, combination, blocking, redaction, erasure, or destruction.

“Security Breach” means a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to, Personal Information. A Security Breach includes a “personal data breach” (as defined in the GDPR), a “breach of security of a system” or similar term (as defined in any other privacy laws), and any other event that compromises the security, confidentiality, or integrity of Personal Information.

“Swiss DP Laws” means the Federal Act on Data Protection of June 19, 1992 (as updated, amended, and replaced on one or more occasions), including all implementing ordinances. In this DPA, in circumstances where and solely to the extent that the Swiss DP Laws apply, references to the GDPR and its provisions will be construed as references to the Swiss DP Laws and their corresponding provisions.

“Transfer” means to transmit or otherwise make the Participating Seller Personal Information available across national borders in circumstances that are restricted by Data Protection Law.

“UK Data Protection Laws” means the GDPR as transposed into United Kingdom national law by operation of section 3 of the European Union (Withdrawal) Act 2018 and as amended by the Data Protection, Privacy and Electronic Communications (Amendments etc.) (EU Exit) Regulations 2019 (the “UK GDPR”), together with the Data Protection Act 2018, the Data Protection, Privacy and Electronic Communications (Amendments etc.) (EU Exit) Regulations 2019 and other data protection or privacy legislation in force on one or more occasions in the United Kingdom. In this DPA, in circumstances where and solely to the extent that the UK GDPR applies, references to the GDPR and its provisions will be construed as references to the UK GDPR and its corresponding provisions.

“UK IDTA” means the International Data Transfer Addendum to the EEA Standard Contractual Clauses issued by the UK Information Commissioner under section 119A(1) Data Protection Act 2018.

Schedule A

California Consumer Privacy Act

This schedule A applies in addition to any terms set out in the body of the DPA when the CCPA applies to  Reseller’s use of the Services for its Participating Sellers.

1. Application.

1.1 This schedule A is applicable solely to the extent that any Participating Seller Personal Information Processed by CBH while performing the Services is subject to the CCPA. Despite anything else to the contrary, this schedule A does not apply to any information that is collected, processed, sold, or disclosed by the parties subject to the Gramm-Leach-Bliley Act (“GLBA”).

1.2 Capitalized terms used but not defined in this schedule A will have the meanings assigned  to those terms in the Agreement or, if not defined in the Agreement, in the CCPA. In the  event of a conflict between this schedule A and the Agreement, this schedule A will  prevail, to the extent necessary to ensure compliance with the CCPA.

2. Data Privacy Roles and Obligations.

2.1 For purposes of this schedule A, for Participating Seller Personal Information that CBH processes for the Reseller under the Agreement that is not processed under the GLBA, (1) the Participating Seller acts as a Business as defined under the CCPA, (2) the Reseller  acts as a Service Provider to the Participating Seller, and (3) CBH acts as a separate Service  Provider to the Reseller within the meaning of the CCPA.

2.2 CBH is not acting as a Third Party, nor is CBH providing Cross-Contextual Behavioral  Advertising under this schedule A. If the Reseller seeks to use CBH for those services, the  parties shall agree to a separate schedule with the required clauses and obligations, as  required in the CCPA, as described in California Civil Code § 1798.145(d).

2.3 Each party shall comply with its obligations under the CCPA for any Participating Seller  Personal Information Processed under this schedule A. The Reseller’s use of the Services  must not violate the rights of any Consumer, including those that have opted out from  sales or other disclosures of Participating Seller Personal Information to the extent  applicable under the CCPA.

3. CBH Obligations.

3.1 In its role as a Service Provider, CBH:

(a) shall protect and secure the Participating Seller Personal Information in  accordance with the CCPA and shall provide the same level of privacy protection  as is required by the CCPA;

(b) shall Process the Participating Seller Personal Information only for the specific  business purposes set out in the Agreement;

(c) except as permitted by the CCPA, shall not sell or share the Participating Seller  Personal Information or retain, use, or disclose the Participating Seller Personal  Information (1) for any purpose other than as necessary to fulfill the business  purposes set out in the Agreement, including retaining, using, or disclosing the  Participating Seller Personal Information for a commercial purpose other than the  business purpose set out in the Agreement, or (2) outside of the direct business  relationship between CBH and the Reseller;

(d) shall not combine the Participating Seller Personal Information with Personal  Information that it receives from or for any other persons or entities or collects  from its own interaction with an individual, except as otherwise permitted by the  CCPA;

(e) shall implement reasonable security procedures and practices, appropriate to the  nature of the Personal Information, to protect the Participating Seller Personal  Information from unauthorized or illegal access, destruction, use, modification,  or disclosure;

(f) shall promptly notify the Reseller of any material changes in CBH’s ability to meet  its obligations under the CCPA, including but not limited to any determination  that CBH can no longer meet its obligations under this schedule A;

(g) shall ensure that CBH’s agreement with any sub-processors used to Process  Participating Seller Personal Information complies with the CCPA, including,  without limitation, the contractual requirements for Service Providers and  Contractors;

(h) shall provide reasonable cooperation to the Reseller, on request, to enable the  Reseller to comply with consumer requests made under the CCPA;

(i) grants the Reseller the right to take reasonable and appropriate steps in  accordance with the Agreement to ensure that CBH uses the Participating Seller  Personal Information in a manner consistent with the Reseller’s obligations under  the CCPA;

(j) grants the Reseller the right, upon notice and in accordance with the Agreement,  to take reasonable and appropriate steps to stop and remediate CBH’s  unauthorized use of the Participating Seller Personal Information; and

(k) certifies that it understands its obligations, including restrictions, imposed on it  by the CCPA regarding the Participating Seller Personal Information and will  comply with them.

3.2 Despite section 3.1 of this schedule A, CBH may retain, use, or disclose the Participating  Seller Personal Information as permitted under the CCPA, including:

(a) to retain and employ another Service Provider or Contractor as a subcontractor in accordance with section 3.1(g) of this schedule A and any other applicable terms of the Agreement where the subcontractor meets the requirements for a Service Provider or Contractor under CCPA;

(b) for its internal use to build or improve the quality of the Services, on condition  that CBH does not use the Participating Seller Personal Information to perform  services for another person;

(c) to prevent, detect, or investigate data security incidents or protect against  malicious, deceptive, fraudulent, or illegal activity;

(d) for the purposes enumerated in California Civil Code § 1798.145(a)(1)–(7); or

(e) for any other purpose contemplated or permitted by the CCPA or other law.

Schedule B

General Data Protection Regulation, UK GDPR, and Swiss DP Laws

This schedule B applies in addition to any terms set out in the body of the DPA when the GDPR, UK GDPR,  or Swiss DP Laws apply to the Reseller’s Participating Seller’s use of the Services, or to the extent Data  Protection Law imposes a comparable requirement outlined under this schedule B. Capitalized terms not  defined in this schedule B will have the meaning assigned to them under the DPA. If there are any conflicts  between this schedule B and the DPA, this schedule B will prevail.

1. Sub-Processor Obligations.

1.1 Processing of Participating Seller Personal Information. The Sub-Processor shall Process the Participating Seller Personal Information only in accordance with documented reasonable instructions from the Reseller (including instructions regarding transfers of the Participating Seller Personal Information to a third country or territory, if applicable) unless required to do so by Data Protection Law. In those circumstances, the Sub-Processor shall inform the Reseller of that legal requirement before processing, unless that law prohibits that information on important grounds of public interest. The Sub-Processor shall promptly inform the Reseller if, in the Sub-Processor’s opinion, the Reseller’s instructions would be in breach of Data Protection Law. The Sub-Processor is not required to take actions designed to form any such opinion.

1.2 Use of Sub-Sub-Processor.

(a) The Sub-Processor may maintain its Sub-Sub-Processor list through means such as publication of its Sub-Sub-Processor list online and also update it accordingly. In accordance with this section 1.2(a) of this schedule B, the Sub-Processor may engage the Sub-Sub-Processors listed. The Reseller acknowledges that the Sub-Processor currently engages the Sub-Sub-Processors listed in exhibit 3 of this DPA.

(b) The Sub-Processor shall inform the Reseller of any intended changes concerning  the addition or replacement of other Sub-Sub-Processors to give the Reseller the  reasonable opportunity to object to those changes. If the Reseller objects to the  Sub-Processor’s change or addition of a Sub-Sub-Processor, the Reseller shall  promptly notify the Sub-Processor of its objections in writing within ten business  days after receipt of the Sub-Processor’s notice of that change or addition.

(c) The Sub-Processor may undertake reasonable efforts to make available to the Reseller a change in the Services or recommend a commercially reasonable change to the Reseller’s configuration or use of the Services to avoid the Processing of the Participating Seller Personal Information by the objected-to new Sub-Sub-Processor. If the Sub-Processor cannot make available that change within a reasonable period, which must not exceed 30 days, the Reseller may terminate the Agreement as to only those aspects of the Services that cannot be provided by the Sub-Processor without using the objected-to new Sub-Sub-Processor by notifying the Sub-Processor. If the Services as a whole cannot be performed without the objected-to new Sub-Sub-Processor, the Reseller may terminate the entire Agreement, on condition that the Reseller’s objections to the new Sub-Sub-Processor are reasonable.

(d) The Sub-Processor shall not penalize the Reseller for any termination under  section 1.2(c) of this schedule B.

(e) Data Protection Impact Assessments and Prior Consultation with Regulator. The  Sub-Processor shall provide reasonable assistance to the Reseller with any legally  required (1) data protection impact assessments, and (2) prior consultations  initiated by the Reseller with its regulator in connection with those data  protection impact assessments. That assistance will be limited to the Processing  of the Participating Seller Personal Information by the Sub-Processor for the  Reseller’s Participating Sellers under the Agreement, taking into account the  nature of the Processing and information available to the Sub-Processor.

2. Demonstrating Compliance with this DPA.

2.1 The Sub-Processor shall make available to the Reseller all information necessary to  demonstrate compliance with its obligations under this DPA and allow for (and contribute  to) audits, including inspections conducted by the Reseller or another auditor under the  instruction of the Reseller for the same purposes of demonstrating compliance with the  obligations set out in this DPA.

2.2 The Reseller’s right under section 2.1 of this schedule B is subject to the following:

(a) if the Sub-Processor can demonstrate compliance with its obligations set out in  this DPA by adhering to an approved code of conduct, by obtaining an approved  certification, or by providing the Reseller with an audit report issued by an  independent third-party auditor (on condition that the Reseller shall comply with  appropriate confidentiality obligations as set out in the Agreement and shall not  use that audit report for any other purpose), the Reseller shall not conduct an  audit or inspection under section 2.1 of this schedule B; and

(b) recognizing the time, expense, and potential business disruption caused by audits  and inspections involving interviews and onsite visits, the Reseller shall conduct  those audits and inspections only if the Reseller can demonstrate that the audit  or inspection is necessary and cannot be satisfied by the information provided by  the Sub-Processor under section 2.1 of this schedule B. Those audits and  inspections must (1) occur at reasonable intervals (but no more than once a year),  (2) be conducted on no less than 60 days’ written notice and on a mutually agreed  date, (3) be conducted during normal business hours, (4) be carried out at the  Reseller’s expense, (5) not disrupt the Sub-Processor’s business operations,  (6) not interfere with the interests or operations of the Sub-Processor’s other  customers, and (7) not exceed two consecutive business days.

2.3 Regarding section 2.1 of this schedule B, the Sub-Processor shall promptly inform the Reseller if, in the Sub-Processor’s opinion, the Reseller’s instructions would be in breach of Data Protection Law. The Sub-Processor is not required to take actions designed to form any such opinion.

3. Cross-Border Transfers.

3.1 The Sub-Processor shall comply with the Reseller’s documented instructions concerning  the Transfer of the Participating Seller Personal Information to a third country.

3.2 The Sub-Processor shall Transfer any Participating Seller Personal Information outside the  Participating Seller’s applicable jurisdiction or the Data Subjects’ resident jurisdiction,  including, without limitation, outside the European Economic Area (“EEA”), the UK, or  Switzerland, solely in compliance with Data Protection Law.

3.3 The Reseller acknowledges that the Sub-Processor transfers and stores certain  Participating Seller Personal Information (including relating to individuals located in the  EEA, Switzerland, and the UK) in the United States.

3.4 Transfers Subject to the GDPR, UK GDPR, or Swiss DP Laws. Module 3 (transfer processor  to processor) of the EEA Standard Contractual Clauses applies to any Transfer of the  Participating Seller Personal Information from the EEA, UK, or Switzerland to CBH and any  of its affiliated entities in the United States or other third countries (the “CBH Entities”).  Module 3 (transfer processor to processor) of the EEA Standard Contractual Clauses is  incorporated by reference, and:

(a) the Reseller and any of its commonly owned or controlled affiliates (the “Reseller  Entities”) that have signed an Agreement for the Services will be deemed to be  “data exporters,” and the CBH Entities will be the “data importers;”

(b) clause 7 — Docking clause applies;

(c) clause 9 — Use of subprocessors, option 2, applies, and the “time period” is ten business days;

(d) clause 11(a) — Redress, the optional language does not apply;

(e) clause 13(a) — Supervision

(i) If the data exporter is established in an EU Member State, the following will apply: “The supervisory authority with responsibility for ensuring compliance by the data exporter with Regulation (EU) 2016/679 as regards the data transfer, as indicated in Annex I.C, shall act as competent supervisory authority;”

(ii) if the data exporter is not established in an EU Member State, but falls within the territorial scope of application of Regulation (EU) 2016/679 in accordance with article 3(2) and has appointed a representative under article 27(1) of the GDPR, the following will apply: “The supervisory authority of the Member State in which the representative within the meaning of Article 27(1) of Regulation (EU) 2016/679 is established, as indicated in Annex I.C, shall act as competent supervisory authority;”

(iii) if the data exporter is not established in an EU Member State but falls  within the territorial scope of application of the GDPR as defined in article  3(2), and is not required to appoint a representative under article 27(2)  of the GDPR, the following will apply: “The supervisory authority of one  of the Member States in which the data subjects whose personal data is  transferred under these Clauses in relation to the offering of goods or  services to them, or whose behaviour is monitored, are located, as  indicated in Annex I.C, shall act as competent supervisory authority;”

(f) clause 17 — Governing law, option 1 applies, and the “Member State” is Bulgaria;

(g) clause 18 — Choice of forum and jurisdiction, the “Member State” is Bulgaria; and

(h) the information in exhibit 1 of this schedule B is incorporated into annexes 1, 2,  and 3 of the EEA Standard Contractual Clauses.

3.5 Transfers Subject to the UK GDPR. If the Transfer is subject to the UK GDPR, the EEA  Standard Contractual Clauses and section 3.4 of this schedule B will be read in accordance  with, and deemed amended by, the provisions of part 2 (Mandatory Clauses) of the UK  IDTA. For the purposes of table 4 in part 1 (Tables) of the UK IDTA, the parties select the  “neither party” option. Otherwise, the parties acknowledge that the information required  for the purposes of part 1 (Tables) of the UK IDTA is set out in exhibit 1.

3.6 If there is any conflict or inconsistency between a term in the body of this DPA, an  Agreement, and a term in module 3 (Transfer processor to processor) of the EEA Standard  Contractual Clauses (or, as applicable, the UK IDTA), incorporated into this DPA, the term  in module 3 (Transfer processor to processor) of the EEA Standard Contractual Clauses  (or, as applicable, the UK IDTA) will prevail.

3.7 Transfers Subject to Swiss DP Laws. If the Transfer is subject to the Swiss DP Laws, the EEA Standard Contractual Clauses and section 3.4 of this schedule B will be read in accordance with this section 3.7. If the Swiss DP Laws are applicable to a data export under the EEA Standard Contractual Clauses set out in this DPA, the following amendments to the EEA Standard Contractual Clauses and section 3.4 of this schedule B will apply:

(a) the term “Member State” according to clause 18(c) of the EEA Standard Contractual Clauses must not be interpreted in a way that data subjects in Switzerland are excluded from exercising their rights, if any, at their place of habitual residence;

(b) the supervisory authority under clause 13 of the EEA Standard Contractual Clauses is the Swiss Federal Data Protection and Information Commissioner;

(c) the law applicable to the EEA Standard Contractual Clauses under clause 17 of the EEA Standard Contractual Clauses will be Swiss DP Laws;

(d) the place of jurisdiction under clause 18(b) of the EEA Standard Contractual Clauses will be the courts located in the city of Zurich; and

(e) where the EEA Standard Contractual Clauses include references to the GDPR, those references will be understood as references to the Swiss DP Laws.

Exhibit 1

Information Required for the EEA Standard Contractual Clauses, the UK IDTA, and Swiss DP Laws

Annex I A. List of Parties

Data EXPORTER identity and contact details

Name: Reseller Entities

Address: To be provided on request

Contact person’s name, position and contact details: To be provided on request

Activities relevant to the data transferred under these Clauses: As set out in the table in exhibit 2 under “Nature and Purpose of the Processing.”

Role (controller/processor): Processor

Data IMPORTER identity and contact details

Name: CBH Entities

Address: 7360 El Camino Real, Suite A, Atascadero, CA 93422, USA

Contact person’s name, position and contact details: privacy@chargebackhelp.com

Activities relevant to the data transferred under these Clauses: As set out in the table in exhibit 2 under “Nature and Purpose of the Processing.”

Role (controller/processor): Processor

Annex I B. Description of Transfer

Categories of data subjects whose personal data is transferred: As set out in the table in exhibit 2 under “Categories of Data Subjects.”

Categories of personal data transferred: As set out in the table in exhibit 2 under “Types of Personal Information.”

Sensitive data transferred (if applicable) and applied restrictions or safeguards that fully take into consideration the nature of the data and the risks involved, such as for instance strict purpose limitation, access restrictions (including access only for staff having followed specialised training), keeping a record of access to the data, restrictions for onward transfers or additional security measures: Not Applicable

The frequency of the transfer (e.g. whether the data is transferred on a one-off or continuous basis): Continuous

Nature of the processing: As set out in the table in exhibit 2 under “Nature and Purpose of the Processing.”

Purpose(s) of the data transfer and further processing: As set out in the table in exhibit 2 under “Nature and Purpose of the Processing.”

The period for which the personal data will be retained, or, if that is not possible, the criteria used to determine that period: Personal data will be retained in accordance with CBH’s retention policies, for only as long as is required to meet CBH’s legal, regulatory, and operational requirements and as necessary to perform services.

For transfers to (sub-) processors, also specify subject matter, nature and duration of the processing: As set out in the table in exhibit 2 under “Nature and Purpose of the Processing.”

Annex I C. Competent Supervisory Authority

Competent supervisory authority/ies: To be provided by the data exporter on request.

Annex II Technical and Organisational Measures Including Technical and Organisational Measures to Ensure the Security of The Data

Description of the technical and organisational measures implemented by the data importer(s) (including any relevant certifications) to ensure an appropriate level of security, taking into account the nature, scope, context and purpose of the processing, and the risks for the rights and freedoms of natural persons.

CBH is certified as compliant with all standards established by the Payment Card Industry Data Security Standards (“PCI DSS”) that are applicable to CBH and its affiliates (those standards, the “PCI Standards”). As evidence of compliance, CBH will provide its current Attestation of Compliance signed by a Payment Card Industry Qualified Security Assessor on the Reseller’s written request. CBH maintains and enforces commercially reasonable information security and physical security policies, procedures, and standards (the “CBH Information Security Program”) that are designed to (1) ensure the security and confidentiality of the Reseller’s records and information, (2) protect against any anticipated threats or hazards to the security or integrity of those records, and (3) protect against unauthorized access to or use of those records or information that could result in substantial harm. At a minimum, the CBH Information Security Program aligns with the standards set out in ISO 27002 published by the International Organization for Standardization, including any revisions, updates, or successor standards that supersede or replace it.

For transfers to (sub-) processors, also describe the specific technical and organisational measures to be taken by the (sub-) processor to be able to provide assistance to the controller and, for transfers from a processor to a sub-processor, to the data exporter

Initiatives, products, processes, and supporting technology are assessed from a data privacy perspective, enabling CBH to embed privacy controls and mitigate risks at early stages (privacy by design). CBH maintains a robust privacy risk assessment framework, including privacy impact assessments, which is integrated into its change management processes to ensure that new and modified personal data processing activities are reviewed. Customers requiring specific assistance may submit their requests to privacy@chargebackhelp.com.

Annex III List of Sub-Processors

The controller has authorised the use of the following sub-processors:

As set out in exhibit 3 of this DPA.

Exhibit 2

Details of Processing Participating Seller Personal Information

Service: Order Insight

Nature and purpose of the processing: CBH facilitates the transfer of required transaction information to Verifi, acting as a sub-sub-processor. Verifi processes the information to provide detailed transaction data to issuing banks and Consumers, as instructed by the Controller, to prevent disputes at the first inquiry.

Types of personal information: If the Participating Seller opts to use the Order Insight service, CBH will facilitate the transfer of required transaction information to Verifi, acting as a sub-sub-processor. Verifi will process the transaction information, including order details, as necessary to fulfill the Order Insight request with the issuer. Further details are provided in the applicable service documentation at the time of implementation of the Service.

Categories of data subjects to whom the personal information relates to: Participating Seller’s employees, agents, advisors, or representatives; Consumers.

Service: CDRN

Nature and purpose of the processing: CBH facilitates the transfer of required transaction information to Verifi, acting as a sub-sub-processor. Verifi processes the data to allow Participating Sellers to resolve non-fraud and confirmed fraud pre-dispute cases with refunds or cancellations, thereby avoiding disputes.

Types of personal information: If the Participating Seller opts to use CDRN, CBH will facilitate the transfer of required transaction information to Verifi, acting as a sub-sub-processor. Verifi will process the transaction information, including order details, as necessary to support the Participating Seller’s decision-making related to a pre-dispute case submitted to the issuer. Further details are provided in the applicable service documentation at the time of implementation of the Service.

Categories of data subjects to whom the personal information relates to: Participating Seller’s employees, agents, advisors, or representatives; Consumers.

Service: RDR (Rapid Dispute Resolution)

Nature and purpose of the processing: CBH facilitates the transfer of required transaction information to Verifi, acting as a sub-sub-processor. Verifi processes the data to apply the Participating Seller’s automatic rules for resolving non-fraud and confirmed fraud pre-dispute cases, enabling acquirer-initiated funds reversals to avoid disputes.

Types of personal information: If the Participating Seller opts to use RDR, CBH will facilitate the transfer of required transaction information to Verifi, acting as a sub-sub-processor. Verifi will process the transaction information, including order details, as necessary to apply the Participating Seller’s automatic rules related to a dispute with the issuer. Further details are provided in the applicable service documentation at the time of implementation of the Service.

Categories of data subjects to whom the personal information relates to: Participating Seller’s employees, agents, advisors, or representatives; Consumers.

Service: Fraud and Dispute Notices

Nature and purpose of the processing: CBH facilitates the transfer of required transaction information to Verifi, acting as a sub-sub-processor. Verifi processes the information to provide real-time, transaction-level notifications that enhance fraud detection and allow Participating Sellers to stop order fulfillment or shipment when possible.

Types of personal information: If the Participating Seller opts to use the Fraud and Dispute Notices service, CBH will facilitate the transfer of required transaction information to Verifi, acting as a sub-sub-processor. Verifi will process the transaction information to provide real-time, transaction-level notifications to enhance and inform fraud detection and modeling for the Participating Seller. Participating Sellers may also stop order fulfillment or shipment when possible. Further details are provided in the applicable service documentation at the time of implementation of the Service.

Categories of data subjects to whom the personal information relates to: Participating Seller’s employees, agents, advisors, or representatives; Consumers.

Service: Dispute Representment

Nature and purpose of the processing: CBH facilitates the transfer of required Participating Seller Personal Information to Verifi, acting as a sub-sub-processor. Verifi processes the information, as required by Card Association rules, to represent disputes for the Participating Seller based on Controller instructions.

Types of personal information: If the Participating Seller opts to use Dispute Representment, CBH will facilitate the transfer of required Data Subjects’, cardholder, and transaction information to Verifi, acting as a sub-sub-processor. Verifi will process the information as necessary to manage the dispute in accordance with Card Association rules. Further details are provided in the applicable service documentation at the time of implementation of the Service.

Categories of data subjects to whom the personal information relates to: Participating Seller’s employees, agents, advisors, or representatives; Consumers.

Service: Ethoca Alerts

Nature and purpose of the processing: CBH facilitates the transfer of required transaction and cardholder information to Mastercard (Ethoca), acting as a sub-sub-processor. Mastercard processes the data to provide fraud and dispute alerts to Participating Sellers, enabling early resolution and prevention of chargebacks.

Types of personal information: Transaction-related information such as card or account number (full or partial), transaction type, currency and amount, transaction date and time, information about the disputed or queried transaction and its outcome, items purchased, history of the account, merchant order number, cardholder information such as name, address, phone number, IP address, email address location, merchant identifier, as applicable under the Agreement, and any other types of Personal Information listed in the Agreement. Information of the Participating Seller’s representatives such as user ID, name, role, email, phone, as applicable.

Categories of data subjects to whom the personal information relates to: Participating Seller’s employees, agents, advisors, or representatives; Consumers.

Service: Ethoca Consumer Clarity

Nature and purpose of the processing: CBH facilitates the transfer of required transaction and cardholder information to Mastercard (Ethoca), acting as a sub-sub-processor. Mastercard processes the data to provide Consumers with detailed transaction information via issuing banks, thereby reducing inquiries and disputes.

Types of personal information: Transaction-related information such as card or account number (full or partial), transaction type, currency and amount, transaction date and time, information about the disputed or queried transaction and its outcome, items purchased, history of the account, merchant order number, cardholder information such as name, address, phone number, IP address, email address location, merchant identifier, as applicable under the Agreement, and any other types of Personal Information listed in the Agreement. Information of the Participating Seller’s representatives such as user ID, name, role, email, phone, as applicable.

Categories of data subjects to whom the personal information relates to: Participating Seller’s employees, agents, advisors, or representatives; Consumers.

Exhibit 3

List of Sub-Sub Processors

Company: Verifi, Inc.

Functions Performed: Processing transaction information, chargeback management, dispute resolution, fraud detection, and data transfer facilitation for applicable services.

Location: USA

Applicable Service: Order Insight; CDRN; RDR; Fraud and Dispute Notices; Dispute Representment

Company: Mastercard Europe S.A.

Functions Performed: Processing transaction and cardholder information for fraud alerts, dispute prevention, and detailed transaction clarity.

Location: EU

Applicable Service: Ethoca Alerts

Company: Ethoca Limited

Functions Performed: Processing transaction and cardholder information for fraud alerts, dispute prevention, and detailed transaction clarity.

Location: Canada

Applicable Service: Ethoca Consumer Clarity